Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title MIT Kerberos 5: User-assisted execution of arbitrary code
Informations
Name GLSA-201412-53 First vendor Publication 2014-12-31
Vendor Gentoo Last vendor Modification 2014-12-31
Severity (Vendor) Normal Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Cvss Base Score 8.5 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 6.8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

A vulnerability has been found in MIT Kerberos 5, possibly resulting in arbitrary code execution or a Denial of Service condition.

Background

MIT Kerberos 5 is a suite of applications that implement the Kerberos network protocol.

Description

Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could execute arbitrary code with the privileges of the process or cause Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All MIT Kerberos 5 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.13"

References

[ 1 ] CVE-2014-4341 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4341
[ 2 ] CVE-2014-4343 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4343
[ 3 ] CVE-2014-4345 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4345
[ 4 ] CVE-2014-5351 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5351

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-53.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201412-53.xml

CWE : Common Weakness Enumeration

% Id Name
25 % CWE-415 Double Free
25 % CWE-255 Credentials Management
25 % CWE-189 Numeric Errors (CWE/SANS Top 25)
25 % CWE-125 Out-of-bounds Read

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:25491
 
Oval ID: oval:org.mitre.oval:def:25491
Title: DSA-3000-1 krb5 - security update
Description: Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos.
Family: unix Class: patch
Reference(s): DSA-3000-1
CVE-2014-4341
CVE-2014-4342
CVE-2014-4343
CVE-2014-4344
CVE-2014-4345
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25901
 
Oval ID: oval:org.mitre.oval:def:25901
Title: SUSE-SU-2014:1028-1 -- Security update for krb5
Description: This MIT krb5 update fixes a buffer overrun problem in kadmind.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1028-1
CVE-2014-4345
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26458
 
Oval ID: oval:org.mitre.oval:def:26458
Title: USN-2310-1 -- krb5 vulnerabilities
Description: Several security issues were fixed in Kerberos.
Family: unix Class: patch
Reference(s): USN-2310-1
CVE-2012-1016
CVE-2013-1415
CVE-2013-1416
CVE-2013-1418
CVE-2013-6800
CVE-2014-4341
CVE-2014-4342
CVE-2014-4343
CVE-2014-4344
CVE-2014-4345
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 12.04
Ubuntu 10.04
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26718
 
Oval ID: oval:org.mitre.oval:def:26718
Title: RHSA-2014:1255: krb5 security update (Moderate)
Description: Kerberos is an authentication system which allows clients and services to authenticate to each other with the help of a trusted third party, a Kerberos Key Distribution Center (KDC). A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database. A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345) All krb5 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc and kadmind daemons will be restarted automatically.
Family: unix Class: patch
Reference(s): RHSA-2014:1255-00
CVE-2014-4345
CESA-2014:1255
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26856
 
Oval ID: oval:org.mitre.oval:def:26856
Title: ELSA-2014-1255 -- krb5 security update (Moderate)
Description: Kerberos is an authentication system which allows clients and services to authenticate to each other with the help of a trusted third party, a Kerberos Key Distribution Center (KDC). A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database. A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345) All krb5 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc and kadmind daemons will be restarted automatically.
Family: unix Class: patch
Reference(s): ELSA-2014-1255
CVE-2014-4345
Version: 3
Platform(s): Oracle Linux 5
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26907
 
Oval ID: oval:org.mitre.oval:def:26907
Title: DEPRECATED: SUSE-SU-2014:1028-1 -- Security update for krb5
Description: This MIT krb5 update fixes a buffer overrun problem in kadmind.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1028-1
CVE-2014-4345
Version: 4
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26912
 
Oval ID: oval:org.mitre.oval:def:26912
Title: AIX NAS denial of service vulnerability
Description: MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4341
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26917
 
Oval ID: oval:org.mitre.oval:def:26917
Title: RHSA-2014:1389: krb5 security and bug fix update (Moderate)
Description: Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC. It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. (CVE-2013-1418, CVE-2013-6800) A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344) A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database. A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345) Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application. (CVE-2014-4341, CVE-2014-4342) A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343) These updated krb5 packages also include several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the References section, for information on the most significant of these changes. All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
Family: unix Class: patch
Reference(s): RHSA-2014:1389-01
CVE-2013-1418
CVE-2013-6800
CVE-2014-4341
CVE-2014-4342
CVE-2014-4343
CVE-2014-4344
CVE-2014-4345
CESA-2014:1389
Version: 5
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26961
 
Oval ID: oval:org.mitre.oval:def:26961
Title: AIX NAS double-free in SPNEGO
Description: Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4343
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27032
 
Oval ID: oval:org.mitre.oval:def:27032
Title: ELSA-2014-1389 -- krb5 security and bug fix update
Description: [1.10.3-33] - actually apply that last patch [1.10.3-32] - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345, #1128157) [1.10.3-31] - ksu: when evaluating .k5users, don't throw away data from .k5users when we're not passed a command to run, which implicitly means we're attempting to run the target user's shell (#1026721, revised) [1.10.3-30] - ksu: when evaluating .k5users, treat lines with just a principal name as if they contained the principal name followed by '*', and don't throw away data from .k5users when we're not passed a command to run, which implicitly means we're attempting to run the target user's shell (#1026721, revised) [1.10.3-29] - gssapi: pull in upstream fix for a possible NULL dereference in spnego (CVE-2014-4344, #1121510) - gssapi: pull in proposed-and-accepted fix for a double free in initiators (David Woodhouse, CVE-2014-4343, #1121510) [1.10.3-28] - correct a type mistake in the backported fix for CVE-2013-1418/CVE-2013-6800 [1.10.3-27] - pull in backported fix for denial of service by injection of malformed GSSAPI tokens (CVE-2014-4341, CVE-2014-4342, #1121510) - incorporate backported patch for remote crash of KDCs which serve multiple realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, more of [1.10.3-26] - pull in backport of patch to not subsequently always require that responses come from master KDCs if we get one from a master somewhere along the way while chasing referrals (RT#7650, #1113652) [1.10.3-25] - ksu: if the -e flag isn't used, use the target user's shell when checking for authorization via the target user's .k5users file (#1026721) [1.10.3-24] - define _GNU_SOURCE in files where we use EAI_NODATA, to make sure that it's declared (#1059730) [1.10.3-23] - spnego: pull in patch from master to restore preserving the OID of the mechanism the initiator requested when we have multiple OIDs for the same mechanism, so that we reply using the same mechanism OID and the initiator doesn't get confused (#1087068, RT#7858) [1.10.3-22] - add patch from Jatin Nansi to avoid attempting to clear memory at the NULL address if krb5_encrypt_helper() returns an error when called from encrypt_credencpart() (#1055329, pull #158) [1.10.3-21] - drop patch to add additional access() checks to ksu - they shouldn't be resulting in any benefit [1.10.3-20] - apply patch from Nikolai Kondrashov to pass a default realm set in /etc/sysconfig/krb5kdc to the kdb_check_weak helper, so that it doesn't produce an error if there isn't one set in krb5.conf (#1009389) [1.10.3-19] - packaging: don't Obsoletes: older versions of krb5-pkinit-openssl and virtual Provide: krb5-pkinit-openssl on EL6, where we don't need to bother with any of that (#1001961) [1.10.3-18] - pkinit: backport tweaks to avoid trying to call the prompter callback when one isn't set (part of #965721) - pkinit: backport the ability to use a prompter callback to prompt for a password when reading private keys (the rest of #965721) [1.10.3-17] - backport fix to not spin on a short read when reading the length of a response over TCP (RT#7508, #922884) [1.10.3-16] - backport fix for trying all compatible keys when not being strict about acceptor names while reading AP-REQs (RT#7883, #1070244)
Family: unix Class: patch
Reference(s): ELSA-2014-1389
CVE-2013-1418
CVE-2013-6800
CVE-2014-4341
CVE-2014-4344
CVE-2014-4345
CVE-2014-4342
CVE-2014-4343
Version: 4
Platform(s): Oracle Linux 6
Product(s): krb5
krb5-devel
krb5-libs
krb5-pkinit-openssl
krb5-server
krb5-server-ldap
krb5-workstation
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27784
 
Oval ID: oval:org.mitre.oval:def:27784
Title: SUSE-SU-2014:1410-1 -- Security update for krb5 (low)
Description: This update for krb5 fixes the following issues: * When randomizing the keys for a service principal, current keys could be returned. (CVE-2014-5351) * klist -s crashes when handling multiple referral entries. (bnc#890623) Security Issues: * CVE-2014-5351 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1410-1
CVE-2014-5351
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28128
 
Oval ID: oval:org.mitre.oval:def:28128
Title: Return only new keys in randkey
Description: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.
Family: unix Class: vulnerability
Reference(s): CVE-2014-5351
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 67
Os 1
Os 1
Os 1
Os 5
Os 1
Os 1
Os 4
Os 4
Os 3
Os 1

Nessus® Vulnerability Scanner

Date Description
2018-02-01 Name : The remote Debian host is missing a security update.
File : debian_DLA-1265.nasl - Type : ACT_GATHER_INFO
2018-01-11 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL15552.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2015-0290-2.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2015-0290-1.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20150305_krb5_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-37.nasl - Type : ACT_GATHER_INFO
2015-03-18 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2015-0439.nasl - Type : ACT_GATHER_INFO
2015-03-13 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2015-0439.nasl - Type : ACT_GATHER_INFO
2015-03-10 Name : The remote Fedora host is missing a security update.
File : fedora_2015-2382.nasl - Type : ACT_GATHER_INFO
2015-03-05 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-0439.nasl - Type : ACT_GATHER_INFO
2015-02-26 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_dbf9e66cbd5011e4a7ba206a8a720317.nasl - Type : ACT_GATHER_INFO
2015-02-12 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2015-128.nasl - Type : ACT_GATHER_INFO
2015-02-11 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2498-1.nasl - Type : ACT_GATHER_INFO
2015-01-27 Name : The remote AIX host has a version of NAS installed that is affected by an inf...
File : aix_nas_advisory2.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_kerberos_20141216.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_kerberos_20141120.nasl - Type : ACT_GATHER_INFO
2015-01-02 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201412-53.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2014-0034.nasl - Type : ACT_GATHER_INFO
2014-11-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-224.nasl - Type : ACT_GATHER_INFO
2014-11-18 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-443.nasl - Type : ACT_GATHER_INFO
2014-11-13 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_krb5-201410-141002.nasl - Type : ACT_GATHER_INFO
2014-11-12 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1389.nasl - Type : ACT_GATHER_INFO
2014-11-04 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20141014_krb5_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-10-17 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1389.nasl - Type : ACT_GATHER_INFO
2014-10-14 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140916_krb5_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-10-14 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1389.nasl - Type : ACT_GATHER_INFO
2014-10-14 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1255.nasl - Type : ACT_GATHER_INFO
2014-10-10 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL15553.nasl - Type : ACT_GATHER_INFO
2014-10-09 Name : The remote Fedora host is missing a security update.
File : fedora_2014-11940.nasl - Type : ACT_GATHER_INFO
2014-10-01 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1245.nasl - Type : ACT_GATHER_INFO
2014-09-18 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1255.nasl - Type : ACT_GATHER_INFO
2014-09-18 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1255.nasl - Type : ACT_GATHER_INFO
2014-09-18 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1245.nasl - Type : ACT_GATHER_INFO
2014-09-16 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1245.nasl - Type : ACT_GATHER_INFO
2014-09-12 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-165.nasl - Type : ACT_GATHER_INFO
2014-09-04 Name : The remote AIX host has a version of NAS installed that is affected by multip...
File : aix_nas_advisory1.nasl - Type : ACT_GATHER_INFO
2014-08-27 Name : The remote Fedora host is missing a security update.
File : fedora_2014-9305.nasl - Type : ACT_GATHER_INFO
2014-08-21 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-508.nasl - Type : ACT_GATHER_INFO
2014-08-16 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_krb5-140812.nasl - Type : ACT_GATHER_INFO
2014-08-15 Name : The remote Fedora host is missing a security update.
File : fedora_2014-9315.nasl - Type : ACT_GATHER_INFO
2014-08-12 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2310-1.nasl - Type : ACT_GATHER_INFO
2014-08-12 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_krb5-140729.nasl - Type : ACT_GATHER_INFO
2014-08-12 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-486.nasl - Type : ACT_GATHER_INFO
2014-08-10 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3000.nasl - Type : ACT_GATHER_INFO
2014-08-08 Name : The remote Fedora host is missing a security update.
File : fedora_2014-8176.nasl - Type : ACT_GATHER_INFO
2014-08-08 Name : The remote Fedora host is missing a security update.
File : fedora_2014-8189.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2015-01-03 13:26:01
  • Multiple Updates
2014-12-31 17:22:55
  • First insertion